Advanced Ping: httping, dnsping, smtpping

I really love ping! It is easy to use and directly reveals whether the network works or not. Refer to Why Ping is no Security Flaw! (But your Friend) and Advanced Tracerouting. At least outgoing pings (from trust to untrust) should be allowed without any security concerns. However, many companies deny these ICMP echo-requests from untrust into the DMZ, which makes it difficult to test whether all servers are up and running.

I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers were connected correctly (NAT) and whether the firewall permitted the connections (policy). However, ping was not allowed. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests) and reveal whether the services (and not only the servers) are running. Great!

This post shows the installation and usage of httping, dnsping, and smtpping on a Linux machine, in my case an Ubuntu Server 14.04.4 LTS, as well as some Wireshark screenshots from captured sessions. Finally, a pcap file can be downloaded that shows the sample runs of all three tools.

httping

As the name implies, httping sends HTTP requests. Note that the name of the tool is spelled with only one “p”. The tool is available on GitHub, and some information about it can be found here. The installation process looks as follows:

    sudo apt-get install libncursesw5-dev libssl-dev libfftw3-dev gettext
    git clone https://github.com/flok99/httping.git
    cd httping/
    sudo make install

(Note that a simple sudo apt-get install httping delivers a very old version of httping and is not recommended.)

For basic functionality it only needs the hostname as an argument, such as httping weberblog.net. Many more options are available, and it also supports HTTPS with SSL/TLS. Examples:

    weberjoh@jw-nb12:~$ httping weberblog.net
    PING weberblog.net:80 (weberblog.net):
    connected to 80.237.133.136:80 (400 bytes), seq=0 time=381.24 ms
    connected to 80.237.133.136:80 (400 bytes), seq=1 time=394.30 ms
    connected to 80.237.133.136:80 (400 bytes), seq=2 time=373.54 ms
    connected to 80.237.133.136:80 (400 bytes), seq=3 time=370.39 ms
    connected to 80.237.133.136:80 (400 bytes), seq=4 time=396.91 ms
    ^CGot signal 2
    --- weberblog.net ping statistics ---
    5 connects, 5 ok, 0.00% failed, time 6408ms
    round-trip min/avg/max = 370.4/383.3/396.9 ms
    weberjoh@jw-nb12:~$
    weberjoh@jw-nb12:~$
    weberjoh@jw-nb12:~$
    weberjoh@jw-nb12:~$ httping -6 https://www.insinuator.net/
    Auto enabling SSL due to https-URL
    PING www.insinuator.net:443 (/):
    connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=0 time=685.03 ms
    connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=1 time=712.15 ms
    connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=2 time=631.81 ms
    connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=3 time=722.95 ms
    ^CGot signal 2
    --- https://www.insinuator.net/ ping statistics ---
    4 connects, 4 ok, 0.00% failed, time 6228ms
    round-trip min/avg/max = 631.8/688.0/723.0 ms
    weberjoh@jw-nb12:~$

Following is a screenshot from httping with the color mode (-Y) and the --threshold-red and --threshold-yellow parameters (which I really like), as well as two screenshots from Wireshark, one with an HTTP session (note the SYN packets as well as the HEAD request and the 200 OK answer) and one with an HTTPS session (Client Hello, Application Data, …):
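To make the mechanism visible in code: the following is an added example, not code from this post or from the httping project. It is a minimal HEAD-based layer-7 ping in Python that times TCP connect plus HTTP HEAD, treats anything without a parseable status line (refused, dropped, timed out) as a failed probe, and reports the same kind of summary as httping (connects, ok, failed %, min/avg/max). The loopback test server and all function and class names are my own assumptions for the example.

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

def http_ping_once(host, port, path="/", timeout=2.0):
    """One httping-style probe: TCP connect, HTTP HEAD, read the status line.
    Returns (ok, rtt_ms, status); ok only if a parseable status line came back."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            data = b""
            while b"\r\n" not in data:          # only the status line is needed
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:                             # refused, reset, timed out: counts as failed
        return False, (time.monotonic() - start) * 1000, None
    rtt_ms = (time.monotonic() - start) * 1000
    parts = data.split(b"\r\n", 1)[0].decode(errors="replace").split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return status is not None, rtt_ms, status

def summarize(results):
    """httping-style summary: connects, ok, failed %, min/avg/max RTT of ok probes."""
    rtts = [rtt for ok, rtt, _ in results if ok]
    n, n_ok = len(results), len(rtts)
    return {"connects": n, "ok": n_ok,
            "failed_pct": 100.0 * (n - n_ok) / n if n else 0.0,
            "min": min(rtts) if rtts else None,
            "avg": sum(rtts) / n_ok if rtts else None,
            "max": max(rtts) if rtts else None}

class _HeadOnly(BaseHTTPRequestHandler):
    """Constructed loopback target standing in for a real web server: HEAD -> 200 OK."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args):               # keep the demo quiet
        pass

def start_local_server():
    """Throwaway HTTP server on 127.0.0.1 and a free port; the caller shuts it down."""
    srv = HTTPServer(("127.0.0.1", 0), _HeadOnly)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

To try it, start the local server, call http_ping_once("127.0.0.1", srv.server_address[1]) a few times, pass the list to summarize(), then srv.shutdown() and srv.server_close(); a probe against the now-closed port is reported as failed, which is exactly the signal you want when checking a DMZ service through a new firewall.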

dnsping

The dnsping tool, part of the DNSDiag toolkit available on GitHub, sends DNS queries. To install it, use the following commands:

    sudo apt-get install python3-pip
    git clone https://github.com/farrokhi/dnsdiag.git
    cd dnsdiag/
    pip3 install -r requirements.txt

Without any further options it sends a type A query for the hostname to the default DNS server (from /etc/resolv.conf). A few options are available, such as the DNS server to query (-s SERVER) or the type of the query (-t TYPE):

Here are a few screenshots from Wireshark, the Cisco ESA, and Thunderbird with these test mails. Refer to the descriptions beneath the screenshots:

If no sender (-S mail@address.foo) is present, some email gateways will classify the messages as spam, as seen on the Cisco ESA appliance.

This is how a test mail looks in Thunderbird.

Wireshark capture of smtpping: SYN, cleartext mail, FIN.

Wireshark follow TCP stream 1/2.

Wireshark follow TCP stream 2/2.

pcap

If you want to click around yourself, you can download the following pcap file. It consists of the traces shown above. (Only the packet numbers and the stream indices do not correspond, since it is not the full trace I initially saved.)

At the End

I am really happy with those tools. They are easy to use and can help with monitoring some services while changing network or firewall settings. And they are a good argument against those security admins who still believe that denying ping is a good security approach. Cheers!